Privacy

Last updated: 2026-05-23

What CommunitySafe does NOT collect

  • No demographic data — race, ethnicity, religion, age, gender, sexual orientation are not stored, displayed, or analyzed anywhere in the app.
  • No individual identification from public data — police-incident data is aggregated to neighborhood-level only; names, addresses below the block level, plates, and photos are never surfaced.
  • No location tracking. Geolocation is requested only when you tap "Use my location", used once for the lookup, and not stored.
  • No third-party advertising, no profiling cookies, no data sales.
  • Browsing the map / safety scores / community feed does NOT require an account. Account-required features are explicitly labeled (Personal Safety, CommunitySafe posts).

What is stored on your device

CommunitySafe uses your browser's localStorage to remember preferences and speed up subsequent loads. Items in localStorage are not transmitted to our servers except where noted (the anonymous session token is sent to authorize protected API calls).

  • travelsafe.token — anonymous session JWT, minted per-device on first visit. Sent to the server with protected requests so anonymous-session state (e.g., your Community moderation history) can be remembered without an account.
  • travelsafe.city.v1 — currently-selected city.
  • travelsafe.area.v1 — currently-picked neighborhood, per city.
  • travelsafe.saved-areas.v1 — your saved neighborhoods (up to 5).
  • travelsafe.swr.v1.* — cached API responses for snappy navigation (15-min TTL).
  • travelsafe.safety.disclaimer.ack — flag that you've dismissed the Personal Safety disclaimer.
  • travelsafe.assistant.* — your AI Assistant conversation history. Kept locally so you can review past answers; the prompts themselves are transmitted to our AI provider — see AI Assistant below.

To clear everything: open your browser settings and delete site data for this domain, or open DevTools → Application → Local Storage → clear.

When you create a CommunitySafe account

The Personal Safety and CommunitySafe features require an account. When you register we store, in our database:

  • Your email address and a one-way hashed password (bcrypt — the plaintext is never written to disk and never transmitted to anyone). Optional display name.
  • For each Trusted Contact you add: their email and/or phone number, the relationship label you chose, and your confirmation that you have their permission to contact them.
  • For each Check-In timer you arm: the scheduled expiry, your optional note, and the last latitude/longitude you shared to that timer.
  • For each Live Share link you generate: the cancel token, the recipient channel (email/SMS), and the expiry.
  • For each Web Push subscription you opt into: the browser-issued endpoint URL and the two public crypto keys (used to encrypt notifications). Push subscriptions never carry personal content.
  • Your CommunitySafe post bodies, comments, and reports — and an append-only edit log if you revise a post.
  • Moderation records: post flags, suspensions, and any blocks/mutes you set.

You can export or delete your account directly from inside the app: go to Personal Safety → Your account & data. Export downloads a single JSON file with every record we hold about you. Delete is irreversible — it wipes your account, posts, comments, check-in timers, trusted contacts, push subscriptions, and live-share links in one transaction. If you can't access your account, use the contact path in Contact below and we'll process the request within 30 days. Local browser data is not part of the server-side account and can be cleared at any time from your browser settings.

What we receive when you use the app (without an account)

  • Standard server logs from our hosting provider (IP address, user-agent, request path, timestamp). Retained per the provider's default retention.
  • Anonymous rate-limiting state: a short-lived in-memory counter keyed by IP+endpoint to throttle abuse. Not persisted.

We do not sell, license, or share user data with third parties for advertising or marketing.

AI Assistant

The optional AI Assistant runs your prompts through a third-party large language model (currently Google Gemini via Google AI Studio, or another configured provider). What this means:

  • The text of your prompt — including any free text you type and the recent conversation turns — is transmitted to the AI provider over HTTPS and processed by their model.
  • The assistant does NOT have access to your account data, your check-in timers, your contacts, or your location. It can call internal CommunitySafe tools that return aggregated city / neighborhood data (the same data the rest of the app shows).
  • Outputs are generated by a probabilistic model and can be inaccurate. Verify any numeric claim against the source URL the assistant cites.
  • We rate-limit the assistant to 10 requests per minute per IP to manage cost.
  • The provider's own data-retention policy applies to prompts in transit and at rest on their side. Review your chosen provider's privacy terms.

If you prefer not to use AI, simply don't open the Assistant tab — nothing else in the app sends data to the AI provider.

Third-party services your browser contacts

When you use certain parts of the app, your browser makes requests directly to:

  • Wikimedia Commons (upload.wikimedia.org) — source images for the city backdrops. Routed through our image optimizer in most cases so your IP isn't exposed.
  • CartoDB (basemaps.cartocdn.com) — basemap tiles for the crime map and safe-route view. Your IP is exposed to CartoDB for each tile request.
  • Google AI Studio / Gemini — only when you use the AI Assistant (above). Prompts are sent server-side; your IP is not directly exposed to the provider, but the contents of your prompt are.

Map routing (OpenStreetMap's OSRM) and all police open-data feeds are called from our server, not from your browser, so those services don't see your IP.

Public data sources we display

CommunitySafe surfaces police-incident data that the cities themselves publish through their official open-data portals (SDPD, LAPD, SFPD, Chicago CPD, NYPD, Phoenix PPD, and 24 others). We do not augment, predict, or editorialize that data. The FBI national-rate comparison comes from the FBI Crime Data Explorer 2025 release at cde.ucr.cjis.gov.

GDPR / CCPA / your rights

If you have a CommunitySafe account, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct any inaccurate data.
  • Erasure — delete your account and the associated records listed under "When you create a CommunitySafe account" above. The fastest path is the Delete my account button in Personal Safety; it runs immediately and is irreversible. Replies left by other users on your deleted posts are removed along with the parent post, since the conversation is unintelligible without it.
  • Portability — request a machine-readable export.
  • Withdraw consent — disable Push, delete Trusted Contacts, or cancel pending Check-Ins from within the app at any time.

Access, portability, and erasure are self-service from the Personal Safety page. For rectification or any other request, or if you can't access your account, use the contact path in Contact below — we'll respond within 30 days. Note that even without an explicit account, browsing CommunitySafe creates an anonymous device session (a server-side User row keyed by a random device token, with a synthetic device-*@travelsafe.local email). That anonymous session is also a valid target for export and erasure through the same Personal Safety controls.

Children

CommunitySafe is not directed to children under 13 and we do not knowingly collect personal information from children. If you believe a child has created an account, email us and we will remove it.

Security

Passwords are hashed with bcrypt before storage. Transport is HTTPS-only with HSTS preload. Sensitive endpoints are gated behind per-user session tokens, and operator endpoints (cron, diagnostics) are gated behind a separate shared secret.

Contact

The fastest paths are in-app: Personal Safety → Your account & data for export / erasure, and the Report button on any post for content concerns. For anything else — corrections, questions about this policy, or DSAR requests you can't fulfill via the in-app controls — open a privacy issue on the project's code repository at github.com/damienmcdade/CommunitySafe/issues. Mark it "PRIVACY" in the title and we'll respond within 30 days.

See also: Terms of use, Methodology.